
Imperva
What is API security? - Threats to Web APIs that have been attracting attention in recent years, and their countermeasures -
Introduction
Web APIs are an integral part of modern web, mobile and IoT applications. They play an important role in services across industries such as finance, retail, logistics, IoT, autonomous driving, and home appliances, and they are used in a wide variety of ways: by customers, by external partners, and internally.
At the same time, Web APIs are attractive targets for attackers because they handle application logic and sensitive data such as personal information. They carry many security risks, and incidents such as personal information leaks have in fact occurred in countries around the world.
Against this background, API security has been attracting attention in recent years. To ensure API security, it is important to understand the vulnerabilities inherent in Web APIs and take the right security measures.
In this article, we explain the threats to Web APIs and why API security is important, and introduce security measures ranging from general to more advanced.
Table of contents
1. Basics of API Security
1.1. What is an API?
1.2. Threats that API Security Should Prepare for
1.3. Why API Security Matters
1.4. What measures are required for API security?
2. What are common measures for API security?
2.1. Authentication and Authorization
2.2. Schema Validation
2.3. Rate Limit
3. What are advanced API security measures?
3.1. Advanced measures specific to API security
3.1.1. Verification
3.1.2. Discovery
3.1.3. Classification
3.1.4. Anomaly Detection
3.2. Comprehensive measures including API security
3.2.1. WAFs
3.2.2. DDoS Protection
3.2.3. Bot Protection
3.2.4. Account Takeover Protection
4. Summary
5. Next time preview
1. Basics of API Security
First of all, as the basics of API security, let's look at what an API is, what threats it faces, and why API security is important.
1.1. What is an API?
API is an abbreviation for "Application Programming Interface": a mechanism for connecting one piece of software to another. Some APIs simply exchange information, while others perform some processing, such as updating or translating data, and return the result. The subject of this article, the "Web API", is an API that uses web technologies such as HTTP/HTTPS.
APIs can be broadly divided into two types: public APIs and private APIs.
<Public API>
This type of API is used for communication with external applications used by other companies and general users. For example, it is used to integrate with websites, mobile applications, IoT devices, and so on.
<Private API>
This type of API is used for cooperation and integration between applications in the backend of in-house systems. For example, it is used to connect with legacy applications and between the microservices that make up a system.
*From here on, "API" is used in the sense of "Web API".
1.2. Threats that API Security Should Prepare for
So what are the threats to APIs?
For example, traditional web application threats such as injection attacks, vulnerable libraries, and bot scraping also affect APIs. In addition, APIs have their own set of threats, such as design flaws.
The Open Web Application Security Project (OWASP), a non-profit organization that shares knowledge of and raises awareness about web security, has summarized API-specific vulnerabilities and security risks in the "API Security Top 10 2019"*.
<OWASP API Security Top 10 2019>
- Broken Object Level Authorization
- Broken User Authentication
- Excessive Data Exposure
- Lack of Resources & Rate Limiting
- Broken Function Level Authorization
- Mass Assignment
- Security Misconfiguration
- Injection
- Improper Assets Management
- Insufficient Logging & Monitoring
*Source: OWASP API Security Project (https://owasp.org/www-project-api-security/)
These vulnerabilities and risks are the threats that API security must address. If they are not remediated, they lead to incidents such as the following.
<Possible Incidents>
- Unintended disclosure, loss or falsification of data
- Account takeover
- System intrusion
- Leakage of confidential information such as personal information
- Access to and manipulation of functions the caller is not authorized to use, and so on
1.3. Why API Security Matters
So why is API security so important?
Among the "API Security Top 10" introduced above, the most commonly occurring issue is said to be "Broken Object Level Authorization". This is a threat that WAFs (Web Application Firewalls), which have traditionally been used for web security, cannot detect.
For example, consider an API like the following: when a request is sent, the API returns the owner information for the phone number given at the end of the request.

By rewriting the phone number and sending the request, an attacker can obtain owner information they are not authorized to see. However, since the request itself is well-formed and indistinguishable from a legitimate one, a conventional WAF cannot detect it.
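The following added example (not code from the original article) simulates the phone-number owner API just described: a request-shape check of the kind a WAF performs passes the tampered request, while an object-level ownership check inside the handler rejects it. All names and records are constructed.

```python
# Added example, not code from the original article: a simulation of the
# "phone number owner" API described above. All names and records here are
# constructed for illustration.
import re
from typing import Optional

# Constructed sample data: phone number -> owner record.
OWNERS = {
    "09012345678": {"user_id": "alice", "name": "Alice Example"},
    "09087654321": {"user_id": "bob", "name": "Bob Example"},
}

PHONE_RE = re.compile(r"0\d{9,10}")


def waf_style_check(phone: str) -> bool:
    """All a conventional WAF can judge is whether the parameter is well
    formed. The legitimate and the tampered request both pass this check."""
    return PHONE_RE.fullmatch(phone) is not None


def lookup_owner_vulnerable(auth_user: str, phone: str) -> Optional[dict]:
    """BOLA: the caller is authenticated, but the requested object (the
    phone number) is never tied to the caller, so any number can be read."""
    if not waf_style_check(phone):
        return None
    return OWNERS.get(phone)


def lookup_owner_fixed(auth_user: str, phone: str) -> Optional[dict]:
    """Object-level authorization: return the record only when the
    authenticated user owns it; otherwise answer exactly as for 'not found'
    so the response does not reveal whether the number exists."""
    if not waf_style_check(phone):
        return None
    record = OWNERS.get(phone)
    if record is None or record["user_id"] != auth_user:
        return None
    return record


if __name__ == "__main__":
    # Alice rewrites the phone number in her own request to Bob's number.
    print(lookup_owner_vulnerable("alice", "09087654321"))  # Bob's record leaks
    print(lookup_owner_fixed("alice", "09087654321"))       # None
```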

APIs also handle a great deal of personal and confidential company information. This makes them easy for attackers to target, and a successful attack is likely to lead to a critical incident. A lack of awareness of the security risks of APIs has also been a factor in their being targeted.
In this way, APIs face their own unique threats, so it is important to introduce security measures specific to APIs and protect them appropriately.
1.4. What measures are required for API security?
What kind of measures are actually necessary?
In API development, the development team adds API functions one after another. The security team is required to implement API security measures in both the development and operation phases while coordinating with the development team.
You might think that as long as you develop a secure API in the development phase, for example by implementing authentication and authorization correctly, there is no need for security measures in the operation phase. In reality, however, security measures must be taken continuously even after development is over.
This is because APIs that companies are not aware of or do not manage may be targeted. For example, there have been incidents in which test APIs created during development were left without proper operation and management, were attacked, and leaked personal information.
To strengthen security, including for APIs that companies are not aware of, more advanced measures are required.
So, from here, we first introduce the general API security measures, and then the more advanced ones.
2. What are common measures for API security?
Common API security measures include the following. Solutions such as an API Gateway that manages APIs may also be used alongside them.
2.1. Authentication and Authorization
Public APIs must implement authentication and authorization correctly and enforce authorization according to each user's privileges. Identify the endpoints where authentication/authorization information is handled, and take stock of the authentication/authorization information they use, such as usernames and passwords, API keys and OAuth tokens.
2.2. Schema Validation
For requests and responses, define the schema in detail (maximum size of parameters and payloads, whether values are required, their types, and so on), and verify actual requests and responses against it to confirm that only the intended communication takes place. This makes it possible to detect and block unauthorized communication.
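An added example (not from the original article) of the schema validation described above: a small validator, with a constructed schema for a hypothetical "create user" endpoint, that checks payload size, required fields, types and string length, and rejects any field the schema does not define.

```python
# Added example, not code from the original article: a minimal request
# schema validator. The schema format, the endpoint and the limits are
# constructed for illustration.
import json
from typing import List

MAX_PAYLOAD_BYTES = 1024  # assumed upper bound on the request body

# Constructed schema for a hypothetical "create user" endpoint:
# field -> (expected type, required?, max length for strings)
USER_SCHEMA = {
    "name": (str, True, 64),
    "email": (str, True, 254),
    "age": (int, False, None),
}


def validate_request(raw_body: bytes, schema: dict) -> List[str]:
    """Return the list of schema violations; an empty list means the
    request matches the schema and may be handed to the application."""
    if len(raw_body) > MAX_PAYLOAD_BYTES:
        return [f"payload exceeds {MAX_PAYLOAD_BYTES} bytes"]
    try:
        body = json.loads(raw_body)
    except ValueError:
        return ["body is not valid JSON"]
    if not isinstance(body, dict):
        return ["body must be a JSON object"]
    errors = []
    # Fields the schema does not define are rejected. This also blocks
    # mass-assignment attempts that smuggle in fields such as "role".
    for field in body:
        if field not in schema:
            errors.append(f"unexpected field: {field}")
    for field, (ftype, required, max_len) in schema.items():
        if field not in body:
            if required:
                errors.append(f"missing required field: {field}")
            continue
        value = body[field]
        # Exact type match: in Python bool is a subclass of int, and
        # isinstance() would let a JSON `true` through as an integer.
        if type(value) is not ftype:
            errors.append(f"{field}: expected {ftype.__name__}")
        elif max_len is not None and len(value) > max_len:
            errors.append(f"{field}: longer than {max_len} characters")
    return errors
```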
2.3. Rate Limit
Set a rate limit on the number of API executions, for example an upper limit on API calls per second, together with the time after which the counter is reset. This mitigates the effects of DoS attacks, scraping, and the like.
The above are the general measures for API security. They control API execution based on predefined metrics.
To achieve a higher level of API security, it is necessary to visualize API risks and to detect and block unauthorized communication based on the actual destination and content of requests.
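An added example (not from the original article) of the per-second limit with a reset time described above: a fixed-window counter kept per API key, with an injectable clock so the reset behaviour can be checked deterministically. The limit, window and client keys are constructed.

```python
# Added example, not code from the original article: a fixed-window rate
# limiter per client key with an explicit reset time. Limit and window
# values are constructed for illustration.
import time
from typing import Callable, Dict, Tuple


class RateLimiter:
    """Allow at most `limit` calls per `window_seconds` for each client key.
    `clock` is injectable so the behaviour can be tested without sleeping."""

    def __init__(self, limit: int, window_seconds: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        # client key -> (calls so far in this window, time the window resets)
        self._state: Dict[str, Tuple[int, float]] = {}

    def allow(self, client_key: str) -> Tuple[bool, float]:
        """Return (allowed, seconds_until_reset). A False result is where
        the API would answer HTTP 429 with a Retry-After header."""
        now = self.clock()
        count, reset_at = self._state.get(client_key, (0, now + self.window))
        if now >= reset_at:  # the window has elapsed: start a fresh one
            count, reset_at = 0, now + self.window
        if count >= self.limit:
            return False, reset_at - now
        self._state[client_key] = (count + 1, reset_at)
        return True, reset_at - now
```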
3. What are advanced API security measures?
So what are the more advanced API security measures?
Here we explain two kinds of measures: API-specific measures, and measures that also cover conventional web application threats.
3.1. Advanced measures specific to API security
Advanced API-specific security measures include the following.

3.1.1. Verification
When the development team creates a new API, there may be problems in its specification and configuration. These problems may go unnoticed during operation, so they must be verified, identified, and fixed before the API goes into operation.
3.1.2. Discovery
The API configuration may change as development proceeds, and APIs prepared temporarily for verification or debugging may not be properly managed. To ensure API security, all APIs that the company should be managing must be made visible and properly protected.
3.1.3. Classification
Classify the types of information handled by each API endpoint. This makes it possible to concentrate protection on confidential information that is particularly important from a security standpoint, such as personal information.
3.1.4. Anomaly Detection
Building on the perspectives of "Discovery", "Classification" and "Authentication", machine learning analyzes and learns what normal communication looks like. It is then possible to identify, detect, and block request traffic from attackers while allowing only normal traffic to pass safely.
3.2. Comprehensive measures including API security
As a more advanced measure, it is desirable to provide comprehensive protection using a range of solutions rather than implementing only API-specific measures.

3.2.1. WAFs
APIs are exposed to web application vulnerabilities such as injection. As with traditional web applications, WAF protection is effective against these.
3.2.2. DDoS Protection
APIs are also targets of DDoS attacks. A simple rate limit may block legitimate users' traffic, so it is preferable to detect and block only the traffic that comes from attackers.
3.2.3. Bot Protection
Vulnerability scans of websites and the buying-up of stock on e-commerce sites are often carried out by automated bots. APIs in particular are subject to large-scale information gathering by scraping bots. Because there are also sophisticated bots that impersonate legitimate users, a solution that comprehensively analyzes information such as the fingerprints that identify a client and blocks bot traffic is required.
3.2.4. Account Takeover Protection
There are many cases in which hijacked accounts lead to unauthorized API operations, and real financial damage has occurred. Slow-rate and distributed attacks designed to stay under threshold-based countermeasures such as rate limits are emerging. There is a growing need for multifaceted judgments that draw on a variety of indicators, such as globally collected information on "IP addresses frequently used in account takeover attacks" and "whether the login attempt uses account credentials that have been leaked in the past".
WAAP (Web Application and API Protection) is a solution that protects APIs and web applications at the same time. In addition to API-specific security measures, it provides comprehensive protection that covers threats such as malicious bots, DDoS, and account takeover.
4. Summary
In this article we introduced API security. To ensure API security, it is effective to understand API vulnerabilities and take appropriate security measures. It is also true that the measures commonly introduced as API security have limitations, so consider comprehensive measures that include both more advanced API security measures and conventional web security.
Macnica handles Imperva Cloud WAF as a WAAP solution. If you are interested in API security or WAAP, please contact us using the contact information below.
5. Next time preview
In the next issue, we will deliver content related to bot countermeasures for web applications.
Inquiry/Document request
Macnica Imperva contact
- TEL: 045-476-2010
- E-mail: imperva-info@macnica.co.jp
Weekdays: 9:00-17:00